Full disk encryption without a boot partition

mhca12 mhca12 at gmail.com
Thu Dec 27 14:40:28 PST 2012


On Thu, Dec 27, 2012 at 11:00 PM, Alex Hornung <alex at alexhornung.com> wrote:
> On 27/12/12 22:13, mhca12 wrote:
>> On Thu, Dec 27, 2012 at 10:08 PM, Alex Hornung <alex at alexhornung.com> wrote:
>>> On 26/12/12 22:19, mhca12 wrote:
>>>> Are there any plans or is there already support for full
>>>> disk encryption without the need for a boot partition?
>>>
>>> No, the userland tool that sets up the decryption of the root partition,
>>> as well as the kernel and modules need to be somewhere that is not
>>> encrypted - otherwise the boot loader would need to support the disk
>>> encryption.
>>
>> Seems like OpenBSD 5.2's bootloader can do that.
>> Any idea how they did it?
>
> I didn't say that it's impossible, I just stated what would be
> required. There are no plans to do any such thing in DragonFly BSD, as
> there is pretty much no point. Doing it in any other way than with the
> separate /boot partition overcomplicates everything by an order of
> magnitude (since, for example, the setup cannot occur in userland
> anymore) for no real benefit.

Sorry that I wasn't precise. I meant to say I find it hard to believe that
OpenBSD extended the bootloader to do decryption.
Your stated reasons make a lot of sense and I will try to find out
how it works in OpenBSD because I'm curious.


